V3 Identity API: Remove unscoped tokens
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Opinion | Wishlist | Unassigned |
Bug Description
In V3, unscoped tokens are rare, but still possible. A caller must specify neither a project nor a domain, and the user must not have a valid default project.
I think we should actually remove unscoped tokens entirely in V3, and return a domain token if the user does not specify a domain or project and has no valid default project. I don't see what we gain from distinguishing between a domain token vs an unscoped user token (which implicitly has a domain, because a user has a domain).
In short, currently we fall back to an unscoped token if no domain & project is specified and the user does not have a valid default project. That seems to be the only way to get an unscoped token. Instead, we should return a domain token.
This would also ensure compatibility with V2 (filed as a related bug). We would essentially be renaming an unscoped token to be a domain token. Unscoped tokens always identified a domain, because every token identified a user, and every user identified a domain.
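The fallback described in the report, next to the proposed change, as an added example that is not part of the original bug report and is not keystone's code. `User`, `resolve_scope`, `valid_projects`, `domain_fallback` and the sample data are hypothetical names and constructed values; the request bodies follow the V3 `auth`/`scope` layout.

```python
# Simplified model of token scope selection, for illustration only.
# It decides which scope a token would get; it does not check credentials
# or whether the user is authorized on an explicitly requested scope.
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: str
    domain_id: str                          # every user belongs to a domain
    default_project_id: Optional[str] = None


def resolve_scope(request, user, valid_projects, domain_fallback=False):
    """Return (scope_type, target_id) for a V3-style auth request body.

    valid_projects: ids the user could be scoped to (constructed stand-in
    for "valid default project"). domain_fallback=False models the current
    behaviour from the report, True models the proposal.
    """
    scope = request.get("auth", {}).get("scope") or {}
    if "project" in scope:
        return ("project", scope["project"]["id"])
    if "domain" in scope:
        return ("domain", scope["domain"]["id"])
    # No explicit scope: use the default project only if it is still valid.
    if user.default_project_id in valid_projects:
        return ("project", user.default_project_id)
    if domain_fallback:
        return ("domain", user.domain_id)   # proposed: the user's own domain
    return ("unscoped", None)               # current: the rare unscoped token


# Constructed sample requests and users.
NO_SCOPE = {"auth": {"identity": {"methods": ["password"]}}}
DOMAIN_SCOPE = {"auth": {"identity": {"methods": ["password"]},
                         "scope": {"domain": {"id": "d2"}}}}
STALE_USER = User("u1", "d1", default_project_id="p-deleted")
NORMAL_USER = User("u2", "d1", default_project_id="p1")

if __name__ == "__main__":
    for fallback in (False, True):
        print("domain_fallback =", fallback)
        for user in (STALE_USER, NORMAL_USER):
            print("  ", user.id, resolve_scope(NO_SCOPE, user, {"p1"}, fallback))
```

Only the request with no scope from a user whose default project is not valid changes result between the two modes.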
Changed in keystone:
importance: Undecided → Wishlist
status: New → Opinion
If I understood correctly:
Unscoped token: Token scoped to user's domain
Domain token: Token scoped to cross domain (some other domain)
Project token: Token scoped to domain